
CVE-2021-44168

Severity: Low · CISA KEV · Active Exploitation · EUVD Exploited

Published: 04 January 2022
Modified: 24 October 2025
KEV Added: 10 December 2021
Patch: available (FortiOS 7.0.3 and later, per FG-IR-21-201)
CVSS Score (v3.1): 3.3, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score: 0.0115 (78.9th percentile)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-44168 is a low-severity Download of Code Without Integrity Check (CWE-494) vulnerability in Fortinet FortiOS. Its CVSS v3.1 base score is 3.3 (Low).

Operationally, its EPSS score places it in the top 21.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2021-44168 is a download of code without integrity check vulnerability, tracked under CWE-494, that affects the "execute restore src-vis" command in FortiOS versions prior to 7.0.3. The command accepts an update package and applies it without verifying that the package is authentic or unmodified. The flaw carries a CVSS v3.1 score of 3.3.

A local authenticated attacker can exploit the issue by supplying a specially crafted update package, causing the device to download arbitrary files without verification. The low score reflects the precondition: the attacker must already hold an authenticated local session on the appliance (AV:L, PR:L), and the vector records limited integrity impact with no confidentiality or availability impact (C:N/I:L/A:N). The KEV listing shows that this precondition is being met in practice, so the base score alone understates the operational priority for exposed FortiOS fleets.

FortiGuard advisory FG-IR-21-201 addresses the vulnerability and indicates that FortiOS 7.0.3 and later releases contain the fix. The CVE is also listed in the CISA Known Exploited Vulnerabilities catalog, confirming observed real-world exploitation activity.

Vulnerability details

A download of code without integrity check vulnerability in the "execute restore src-vis" command of FortiOS before 7.0.3 may allow a local authenticated attacker to download arbitrary files on the device via specially crafted update packages.

CWE(s): CWE-494 (Download of Code Without Integrity Check)
KEV Date Added: 10 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: fortinet
Product: fortios
Versions: ≤ 6.0.14 · 6.2.0 to 6.2.10 · 6.4.0 to 6.4.8

Note that the vulnerability description and FG-IR-21-201 cover every release before 7.0.3, so 7.0.x builds earlier than 7.0.3 should also be treated as affected even though they are absent from the version list above; confirm against the vendor advisory before closing a finding on a 7.0.x device.

Mitigating Controls (NIST 800-53 r5)

SI-7, Software, Firmware, and Information Integrity (prevent): directly requires cryptographic or other integrity verification of software, firmware, and update packages before they are applied, blocking the exact CWE-494 flaw in the restore command.

CM-14, Signed Components (prevent): mandates that system components and update packages be digitally signed and that signatures are validated prior to installation or execution.

Component authenticity and provenance verification (prevent; no control identifier is given on this page): requires verification of component authenticity and provenance, which would detect or reject the specially crafted unsigned update packages used in this attack.
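The following is an added example, not Fortinet code and not derived from the real FortiOS implementation. It models the CWE-494 pattern described under "Deeper analysis" (a restore command that applies an update package without checking it) beside the hardened handler that the SI-7 and CM-14 controls above call for: authenticate the whole package before parsing any of it, and confine where its entries may be written. The package format, the restore handlers, the key value and the `/data/restore` directory are all constructed for illustration, and HMAC-SHA256 stands in for a vendor signature so that the script runs on the Python standard library alone; a real firmware pipeline would use an asymmetric signature (Ed25519 or RSA) so that the device holds only a verification key.

```python
"""CWE-494 in a toy update/restore handler: unverified vs. verified apply.

Constructed example. HMAC-SHA256 stands in for a vendor signature; the key,
package layout and restore directory are assumptions, not FortiOS internals.
"""
import hashlib
import hmac
import json
import posixpath

TAG_LEN = 32                                        # HMAC-SHA256 output size
VENDOR_KEY = b"constructed-vendor-key-not-real"     # assumption: vendor's key
ALLOWED_ROOT = "/data/restore"                      # assumption: restore target dir


def build_package(files: dict[str, bytes], key: bytes = VENDOR_KEY) -> bytes:
    """Serialize files as JSON and append an authentication tag over the payload."""
    payload = json.dumps({name: data.hex() for name, data in files.items()},
                         sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def _parse(payload: bytes) -> dict[str, bytes]:
    """Decode the JSON payload back into {name: contents}."""
    return {name: bytes.fromhex(data) for name, data in json.loads(payload).items()}


def restore_unverified(package: bytes) -> dict[str, bytes]:
    """Vulnerable pattern (CWE-494): the tag is sliced off and never checked,
    so a package from anyone, modified or not, is parsed and applied."""
    return _parse(package[:-TAG_LEN])


def _safe_target(name: str) -> str:
    """Confine a package entry to ALLOWED_ROOT; reject absolute paths and traversal."""
    target = posixpath.normpath(posixpath.join(ALLOWED_ROOT, name))
    if name.startswith("/") or not target.startswith(ALLOWED_ROOT + "/"):
        raise ValueError(f"entry {name!r} escapes {ALLOWED_ROOT}")
    return target


def restore_verified(package: bytes, key: bytes = VENDOR_KEY) -> dict[str, bytes]:
    """Hardened pattern (SI-7 / CM-14 intent): authenticate the entire package
    before parsing a byte of it, then confine where entries may land."""
    if len(package) <= TAG_LEN:
        raise ValueError("truncated package")
    payload, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("integrity check failed; package rejected")
    files = _parse(payload)                         # only now touch the content
    return {_safe_target(name): data for name, data in files.items()}


def tamper(package: bytes) -> bytes:
    """Alter one hex digit of the first file's contents and keep the old tag,
    which is what editing a captured genuine package looks like."""
    i = package.index(b'"', package.index(b":")) + 1    # first hex digit of a value
    digit = b"0" if package[i:i + 1] != b"0" else b"1"
    return package[:i] + digit + package[i + 1:]


def demo() -> dict[str, bool]:
    """Run both handlers against genuine, tampered, forged and traversal packages."""
    genuine = build_package({"vis.db": b"legit visibility data"})
    tampered = tamper(genuine)
    forged = build_package({"../../etc/passwd": b"root::0:0::/:/bin/sh"},
                           key=b"attacker-has-no-vendor-key")
    signed_traversal = build_package({"../etc/passwd": b"x"})   # vendor-signed but unsafe name

    def accepts(handler, pkg):
        try:
            handler(pkg)
            return True
        except ValueError:
            return False

    return {
        "unverified_accepts_genuine": accepts(restore_unverified, genuine),
        "unverified_accepts_tampered": accepts(restore_unverified, tampered),
        "unverified_accepts_forged": accepts(restore_unverified, forged),
        "verified_accepts_genuine": accepts(restore_verified, genuine),
        "verified_accepts_tampered": accepts(restore_verified, tampered),
        "verified_accepts_forged": accepts(restore_verified, forged),
        "verified_accepts_signed_traversal": accepts(restore_verified, signed_traversal),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two design points carry over to a real implementation: the verification runs over the raw bytes before any parsing, so a malformed or hostile package never reaches the decoder, and the path check is a second, independent control, because a correctly signed package from the vendor can still name a destination the command should refuse.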
